(54) Method for intrusion detection in a database system



(57) A method for detecting intrusion in a database, managed by an access control system, comprising defining at least one intrusion detection profile, each comprising at least one item access rate, and associating each user with one of said profiles. Further, the method determines whether a result of a query exceeds any one of the item access rates defined in the profile associated with the user, and, in that case, notifies the access control system to alter the user authorization, thereby making the received request an unauthorized request, before said result is transmitted to the user.

The method allows for real time prevention of intrusion by letting the intrusion detection process interact directly with the access control system, and change the user authority dynamically as a result of the detected intrusion.
Description

Technical field 

[0001] The present invention relates to a method for detecting intrusion in a database managed by an access control system.

Technical background 

[0002] In database security, it is a well known problem to avoid attacks from persons who have access to a valid user-ID and password. Such persons cannot be denied access by the normal access control system, as they are in fact entitled to access to a certain extent. Such persons can be tempted to access improper amounts of data, by-passing the security. Solutions to this problem have been suggested:

Network-Based Detection 

[0003] Network intrusion monitors are attached to a packet-filtering router or packet sniffer to detect suspicious behavior on a network as it occurs. They look for signs that a network is being investigated for attack with a port scanner, that users are falling victim to known traps like .url or .lnk, or that the network is actually under an attack such as through SYN flooding or unauthorized attempts to gain root access (among other types of attacks). Based on user specifications, these monitors can then record the session and alert the administrator or, in some cases, reset the connection. Some examples of such tools include Cisco's NetRanger and ISS' RealSecure as well as some public domain products like Klaxon that focus on a narrower set of attacks.

Server-Based Detection 

[0004] These tools analyze log, configuration and data files from individual servers as attacks occur, typically by placing some type of agent on the server and having the agent report to a central console. Some examples of these tools include Axent's OmniGuard Intrusion Detection (ITA), Security Dynamics' Kane Security Monitor and Centrax's eNTrax, as well as some public domain tools that perform a much narrower set of functions, like Tripwire, which checks data integrity.
[0005] Tripwire will detect any modifications made to operating systems or user files and send alerts to ISS' RealSecure product. RealSecure will then conduct another set of security checks to monitor and combat any intrusions.

Security Query and Reporting Tools 

[0006] These tools query NOS logs and other related logs for security events, or they glean logs for security trend data. Accordingly, they do not operate in real time and rely on users asking the right questions of the right systems. A typical query might be "how many failed authentication attempts have we had on these NT servers in the past two weeks." A few of them (e.g., SecurIT) perform firewall log analysis. Some examples of such tools include Bindview's EMS/NOSadmin and Enterprise Console, SecurIT's SecureVIEW and Security Dynamics' Kane Security Analyst.

Inference detection

[0007] A variation of conventional intrusion detection is detection of specific patterns of information access, deemed to signify that an intrusion is taking place, even though the user is authorized to access the information. A method for such inference detection, i.e. a pattern oriented intrusion detection, is disclosed in US patent 5278901 to Shieh et al.

[0008] None of these solutions are however entirely satisfactory. The primary drawback is that they all concentrate on already effected queries, providing at best information that an attack has occurred.

Summary of the invention 

[0009] It is an object of the present invention to provide a method and a system for intrusion detection.
[0010] According to the invention, this and other objects are achieved by defining at least one intrusion detection profile, each comprising at least one item access rate, associating each user with one of said profiles, receiving a query from a user, comparing a result of said query with the item access rates defined in the profile associated with the user, determining whether said query result exceeds said item access rates, and in that case notifying the access control system to alter the user authorization, thereby making the received request an unauthorized request, before said result is transmitted to the user.

[0011] According to this method, the result of a query is evaluated before it is transmitted to the user. This allows for real time prevention of intrusion, where the attack is stopped even before it is completed. This is possible by letting the intrusion detection process interact directly with the access control system, and change the user authority dynamically as a result of the detected intrusion.

[0012] The item access rates can be defined based on the number of rows a user may access from an item, e.g. a column in a database table, at one time, or over a certain period of time.

[0013] In a preferred embodiment, the method further comprises accumulating results from performed queries in a record, and determining whether the accumulated results exceed any one of said item access rates. The effect is that on one hand, a single query exceeding the allowed limit can be prevented, but so can a number of smaller queries, each one on its own being allowed, but when accumulated not being allowed.
[0014] It should be noted that the accepted item access rates are not necessarily restricted to only one user. On the contrary, it is possible to associate an item access rate with a group of users, such as users belonging to the same access role (which defines the user's level of security), or connected to the same server. The result will be restricting the queries accepted from a group of users at one time or over a period of time.
[0015] The user, role and server entities are not exclusive of other entities which might benefit from a security policy.

[0016] According to an embodiment of the invention, items subject to item access rates are marked in the database, so that any query concerning said items can automatically trigger the intrusion detection process. This is especially advantageous if only a few items are intrusion sensitive, in which case most queries are not directed to such items. The selective activation of the intrusion detection will then save time and processor power.

[0017] According to another embodiment of the invention, the intrusion detection policy further includes at least one inference pattern, and results from performed queries are accumulated in a record, which is compared to the inference pattern, in order to determine whether a combination of accesses in said record match said inference policy, and in that case the access control system is notified to alter the user authorization, thereby making the received request an unauthorized request, before said result is transmitted to the user.
[0018] This embodiment provides a second type of intrusion detection, based on inference patterns, again resulting in a real time prevention of intrusion.

Brief description of the drawings 

[0019] These and other aspects of the invention will be apparent from the preferred embodiments more clearly described with reference to the appended drawings.

[0020] Fig 1 shows a database environment in which an embodiment of the present invention is implemented.
[0021] Fig 2 is a schematic flowchart of an embodiment of the method according to the invention.

Detailed description of the currently preferred embodiment

[0022] The present invention may be implemented in an environment of the type illustrated in fig 1. The environment comprises a number of clients 1, connected to a server 2, e.g. a Secure.Data™ server from Protegrity, providing access to a database 3 with encrypted data 4. Several clients 1 can be connected to an intermediate server 5 (a proxy server), in which case we have a so-called three-tier application.

[0023] Users 6 use the clients 1 to access information 4 in the database 3. In order to verify and authorize attempted access, an access control system (ACS) 7 is implemented, for example Secure.Server™ from Protegrity.

[0024] The server is associated with an intrusion detection module 10, comprising software components 12, 13 and 18 for performing the method according to the invention.

[0025] Although the intrusion detection module 10 here is described as a separate software module, its components can be incorporated in the server software 2, for example in a security administration system (SAS) 8, like Secure.Manager™ from Protegrity. It can reside in the server hardware 16, or in a separate hardware unit.

[0026] A first component 12 of the intrusion detection module 10 enables marking of some or all data items (e.g. columns in tables) in the database, thereby indicating that these items should be monitored during the intrusion detection process, as described below.

[0027] A second component 13 of the intrusion detection module 10 is adapted to store all results from queries including marked items, thereby creating a record 14 of accumulated access of marked items. If advantageous, the record can be kept in a separate log file 15, for long term storage, accumulating data access over a longer period of time.

[0028] The server 2 further has access to a plurality of security policies 20, preferably one for each user, one for each defined security role, or the like. These security policies can be stored in the security administration system 8, but can also be stored outside the server. Each policy 20 includes one or several item access rates 21 and optionally an inference pattern 22.

[0029] An item access rate 21 defines the maximum number of rows of the selected item (e.g. a column of a table) that a given user, role or server may access during a given period of time. The period of time can be defined as one single query, but can also be an accumulation of queries during a period of time. Preferably, a separate item access rate is defined for at least each item that has been marked in the database 3 by the component 12 of the intrusion detection module 10.
[0030] An inference pattern 22 defines a plurality of items (columns of certain tables) that, when accessed in combination, may expose unauthorized information. This means that an attempt by a user, role or server to access certain quantities of information from items in an inference pattern during a given period of time (e.g. in one request) implies that an intrusion is taking place, even if the associated item access rates have not been exceeded. For further information about the inference concept of intrusion, see US 5278901.
[0031] Returning to the intrusion detection module 10, a third component 18 is adapted to compare the result of a query with an item access rate 21 and an inference pattern 22. The component 18 can also compare the access rates 21 and inference patterns 22 with accumulated results, stored in the record 14 or log file 15.
[0032] When a user tries to access a database, the access control system 7 completes an authority check of the user. Different routines can be used, including automatic authorization by detecting the IP address, or a standard login routine. In one embodiment, the authorized user will only have access to items defined in his role, i.e. the table columns that the user is cleared for and uses in his/her work. The access control system 7 then continually monitors the user activity, and prevents the user from accessing columns he/she is not cleared for. This process is described in detail in WO 97/49211, hereby incorporated by reference.
[0033] The intrusion detection according to the described embodiment of the invention is directed toward the situation where a user, authorized to access certain items, abuses this authority and tries to obtain information breaching the security policy of the database owner. The intrusion detection is divided into two different stages, a real time stage and an a posteriori analysis stage.

Real time: 

[0034] With reference to fig 2, a request is received by the server in step S1, resulting in the generation of a result in step S2, i.e. a number of selected rows from one or several table columns. The software component 12 determines (step S3) if any items in the result are marked for monitoring in the database. If no marked items are included in the result, the result is communicated to the user in a standard way (step S4). If, however, marked items are included in the result, the intrusion detection component 13 stores the query result, or at least those parts referring to the marked items, in the record 14, and the program control initiates the intrusion detection (steps S6-S10).

[0035] First, in step S6, the intrusion detection component 18 compares the current query result and the updated record 14 with the item access rate 21 included in the security policy associated with the current user, the role that the user belongs to, or the server the user is connected to. Note that only item access rates 21 associated with the marked items comprised in the current result need to be compared.

[0036] If the current query result or accumulated record 14 includes a number of rows exceeding a particular item access rate 21, such a request will be classified as an intrusion (step S7), and the access control system 7 will be alerted (step S10).
[0037] Secondly, in step S8, if no item access rate is exceeded, the intrusion detection process compares the query result and accumulated record 14 with any inference pattern included in the relevant security policy. If the result includes a combination of items that match the defined inference pattern, such a request will also be classified as an intrusion (step S9), and the access control system will be alerted (step S10).
[0038] If no intrusion is found in either step S7 or step S9, the program control advances to step S4 and communicates the result to the user.

[0039] Upon an ACS alert (step S10), the access control system 7 is arranged to immediately alter the user authorization, thereby making the submitted request unauthorized. This can be effected easily, for example if the ACS 7 is part of the Secure.Data™ server from Protegrity.

[0040] For the user, the request, or at least the parts of the request directed to items for which the item access rate was exceeded, will thus appear to be unauthorized, even though authority was initially granted by the access control system 7.

[0041] In addition to the immediate and dynamic alteration of the access control system 7, other measures can be taken depending on the seriousness of the intrusion, such as sending an alarm to e.g. the administrator, or shutting down the entire database. The server software 11 can send an alarm to a waiting process that a potential breach of security is occurring.

Long term analysis: 

[0042] The query result can also be stored in the log file 15 by the intrusion detection module, as described above. The log file 15, which thus contains accumulated query results from a defined time period, can also be compared to the inference patterns 22 in the security profiles 20 of users, roles or servers, this time in an "after the event" type of analysis.

[0043] Even though such an analysis cannot prevent the intrusion from taking place, it may serve as intelligence gathering, improving the possibilities of handling intrusion problems. While the real time protection is most efficient when it comes to preventing security breaches, the long term analysis can be more in depth, and more complex, as time is no longer a critical factor.
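As an added illustration (not code from the patent or from Protegrity), the following Python simulates both the real time stage of [0034]-[0041] and the after-the-event log analysis of [0042]-[0043]: marked items, a per-user record, item access rates with single-query and time-window limits, inference patterns, and an access control stand-in whose authorization is altered before the result is transmitted. The class and policy layout, the user names and the sample queries are constructed assumptions.

```python
from collections import defaultdict

class AccessControlSystem:                  # stand-in for the ACS 7 of the description
    def __init__(self):
        self.revoked, self.alerts = defaultdict(set), []
    def alter_authorization(self, user, items, reason):            # step S10
        self.revoked[user] |= set(items)
        self.alerts.append((user, frozenset(items), reason))
    def authorized(self, user, item):
        return item not in self.revoked[user]

class IntrusionDetector:
    # policies: user -> {"rates": {item: (max_rows, window_s)}, "patterns": [(frozenset, window_s)]}
    def __init__(self, acs, policies, marked_items):
        self.acs, self.policies = acs, policies   # window_s == 0 means "in one single query"
        self.marked = set(marked_items)           # component 12: items marked for monitoring
        self.record = defaultdict(list)           # component 13: user -> [(ts, item, rows)]
        self.log = []                             # log file 15 for the long term analysis

    def _accessed(self, user, window, now):      # rows per item read in the last `window` s
        rows = defaultdict(int)
        for ts, item, n in self.record[user]:
            if now - ts <= window:
                rows[item] += n
        return rows

    def handle_query(self, user, result, now):   # result: item -> rows returned (step S2)
        hits = {i: n for i, n in result.items() if i in self.marked}        # step S3
        if not hits:
            return dict(result)                                               # step S4
        for item, n in hits.items():                                          # record/log
            self.record[user].append((now, item, n))
            self.log.append((user, now, item, n))
        policy, rate_exceeded = self.policies[user], False
        for item, n in hits.items():                                          # steps S6/S7
            if item in policy["rates"]:
                limit, window = policy["rates"][item]
                total = n if window == 0 else self._accessed(user, window, now)[item]
                if total > limit:
                    self.acs.alter_authorization(user, {item}, "item access rate exceeded")
                    rate_exceeded = True
        if not rate_exceeded:                                                 # steps S8/S9
            for pattern, window in policy["patterns"]:
                if pattern <= set(self._accessed(user, window, now)):
                    self.acs.alter_authorization(user, pattern, "inference pattern matched")
        # [0040]: the parts of the request that hit revoked items now appear unauthorized
        return {i: n for i, n in result.items() if self.acs.authorized(user, i)}

    def long_term_analysis(self):                # after-the-event check of the whole log
        seen = defaultdict(set)
        for user, _ts, item, _n in self.log:
            seen[user].add(item)
        return [(u, p) for u, items in seen.items()
                for p, _w in self.policies[u]["patterns"] if p <= items]

def demo():
    # Constructed scenario: 'ssn' allows 50 rows per hour; 'name' and 'ssn' within 60 s is inference
    acs = AccessControlSystem()
    policy = {"rates": {"salary": (100, 0), "ssn": (50, 3600)},
              "patterns": [(frozenset({"name", "ssn"}), 60)]}
    ids = IntrusionDetector(acs, {"alice": policy, "bob": policy}, {"salary", "ssn", "name"})
    alice = [ids.handle_query("alice", q, t) for q, t in
             [({"ssn": 20, "dept": 5}, 1000), ({"ssn": 20}, 1600), ({"ssn": 20}, 2200)]]
    bob = [ids.handle_query("bob", {"name": 10}, 3000), ids.handle_query("bob", {"ssn": 5}, 3030)]
    return alice, bob, acs.alerts, ids.long_term_analysis()
```

In the scenario, alice's third 20-row read of ssn is stopped because the accumulated hour total reaches 60, and bob's reads of name and ssn 30 seconds apart are stopped by the inference pattern even though neither rate is exceeded.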
[0044] Many three-tier applications (e.g. connections with a proxy 5) authenticate users to the middle tier 5, and then the TP monitor or application server in the middle tier connects to the database 3 as a super-privileged user, and does all activity on behalf of all users 6 using the clients 1. Preferably, the invention is implemented in a system, for example Secure.Data™ from Protegrity, in which the identity of the real client is preserved over the middle tier, thereby enabling enforcement of "least privilege" through a middle tier. The intrusion detection module 10 can therefore audit access requested both by the logged-in user who initiated the connection (e.g., the TP monitor) and the user on whose behalf an action is taken. Audit records capture both the user taking the action and the user on whose behalf the action was taken. Auditing user activity, whether users are connected through a middle tier or directly to the data server, enhances user accountability, and thus the overall security of multitier systems. Audit records can be sent to the database audit trail or the operating system's audit trail, when the operating system is capable of receiving them. This option, coupled with the broad selection of audit options and the ability to customize auditing with triggers or stored procedures, provides the flexibility of implementing an auditing scheme that suits any specific business needs.



Claims

1. A method for detecting intrusion in a database managed by an access control system, comprising:

defining at least one intrusion detection profile, each comprising at least one item access rate,
associating each user with one of said profiles,
receiving a query from a user,
determining whether a result of said query exceeds any one of the item access rates defined in the profile associated with the user, and, in that case,
notifying the access control system to alter the user authorization, thereby making the received request an unauthorized request, before said result is transmitted to the user.

2. The method of claim 1, further comprising:

accumulating results from performed queries in a record, and
determining whether the accumulated results exceed any one of said item access rates.

3. The method of claim 1 or 2, wherein items subject to item access rates are marked in the database, any query concerning said items automatically triggering the intrusion detection.

4. The method of claim 3, wherein the step of determining whether an item access rate is exceeded includes determining if the query result includes rows from marked items, and only in that case proceeding with the intrusion detection process.

5. The method of any of the preceding claims, wherein one of said at least one item access rates defines the number of rows a user may access from a database item at one time.

6. The method of any of the preceding claims, wherein one of said at least one item access rates defines the number of rows a group of users may access from a database item at one time.

7. The method of any of the preceding claims, wherein one of said at least one item access rates defines the number of rows that may be accessed from a database item over a period of time.

8. The method of any of the preceding claims, wherein one of said at least one item access rates defines the number of rows a group of users may access from a database item over a period of time.

9. The method of any of the preceding claims, wherein the intrusion detection policy further includes at least one inference pattern, the method further comprising:

accumulating results from performed queries in a record,
comparing said record with said inference pattern, in order to determine whether a combination of accesses in said record match said inference policy, and in that case
notifying the access control system to alter the user authorization, thereby making the received request an unauthorized request, before said result is transmitted to the user.